Usually, Daml users expect that the
ensure clause holds for every active contract because it’s checked at creation time. However, because it’s only checked at creation time, I’m wondering what guarantees we get in the presence of malicious submitters. Consider this case:
- Party A is hosted on participant PA, Party B is hosted on participant PB.
- Party A hacks their participant to allow creation of a contract they’re the only stakeholder on which violates the ensure clause.
- Now Party A submits a transaction that fetches that contract and that fetch is divulged to participant PB (because B is a witness).
Does participant PB check that the ensure clause holds as part of model conformance and reject that transaction or is it accepted?